The first PC virus, Brain, appeared in 1986. Brain was a boot sector virus. Boot sector viruses work by modifying the first sector on floppy disks. The life-cycle of a boot sector virus is as follows: the virus executes, and loads its code into memory, when a user boots from an infected disk. The disk doesn’t have to be a system disk: any disk will do. In most cases, the user doesn’t mean to boot from the disk at all. Typically, they simply forget to remove the disk when they shut down the machine and then forget it’s there when they boot up the next day. If the BIOS is configured to boot from floppy disk (and, of course, a growing number of PCs these days do not come with a floppy disk drive) the system detects the disk in drive A and automatically loads whatever code is in the boot sector: in the case of an infected disk, the virus. The user realizes they’ve tried to boot from floppy disk by mistake when they see the message ‘Non system disk or disk error, replace and press any key when ready’. They then remove the disk and continue working, suspecting nothing about what has just happened.
What happens next depends on the operating system being used. Boot sector viruses infect at a BIOS level, before the operating system is loaded, so they’re operating system independent. However, they use DOS calls to go memory resident and spread to other floppy disks: if the operating system doesn’t support DOS, they don’t get the chance to load and spread. They’re effectively sidelined by any operating system other than DOS, Windows 3.x (which sits on top of DOS) or Windows 9x (which may sometimes use DOS access to floppy disks). The only damage they can do on other operating systems comes from a damage routine coded to run at a BIOS level, before the operating system loads. This is true of Michelangelo, for example, which overwrites the start of the hard drive as soon as the PC is booted on 6 March ... before the operating system loads.
The writers of boot sector viruses had no need to implement social engineering tricks to spread their creations. On the contrary, very little user interaction was required beyond inadvertently leaving an infected floppy disk in the drive. At the time, floppy disks were the main means of transferring data from computer to computer and from user to user. So it was almost inevitable that, sooner or later, the user would pass on an infected floppy disk to a friend, colleague or customer and spread the virus.
In the years that followed the appearance of Brain, boot sector viruses were further refined and developed. Whereas Brain infected floppy disks only, most of its successors were designed to infect the hard disk also. In most cases, this meant writing code to the MBR (Master Boot Record). Some, however (notably Form), infected the boot sector of the hard disk. And a small number (e.g. Purcyst) infected both the MBR and the boot sector.
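
Because these viruses work by rewriting the code in the MBR, a defender can detect them by comparing the sector against a known-good baseline. The sketch below is an added example, not part of the original article; it covers the classic MBR layout only, the function names are hypothetical, and the sample sectors are constructed in the code rather than read from a disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_HASH_LEN = 440      # bytes 440-445 can hold a disk signature, so skip them
TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # expected at offsets 510-511

def parse_mbr(sector: bytes) -> dict:
    """Summarise a 512-byte MBR: boot-code hash, partition entries, signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, length
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:CODE_HASH_LEN]).hexdigest(),
            "partitions": partitions,
            "valid_signature": sector[510:512] == BOOT_SIGNATURE}

def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector with a baseline produced by parse_mbr."""
    current = parse_mbr(sector)
    findings = []
    if not current["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed since baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed since baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: padded boot code plus one active partition."""
    code = boot_code.ljust(TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")     # constructed bytes
    baseline = parse_mbr(clean)
    altered = build_sample_mbr(b"\xeb\x3c\x90\x00\x00")   # constructed bytes
    print(check_against_baseline(clean, baseline))
    print(check_against_baseline(altered, baseline))
```

In practice the sector would come from the first 512 bytes of a disk image captured offline, with the baseline recorded while the machine was known to be clean.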
DOS file viruses
Until 1995, boot sector viruses represented around 70% of all infections found in the field. However, they weren’t the only type of virus. This period also saw the emergence of viruses designed to infect DOS executable files, first COM files, then later EXE files. These viruses modified the host file in such a way that the virus code ran automatically when the program was run. There were many different methods used to infect files.